Thread: SQL Injections & Security in PHP
View Single Post
  #2 (permalink)  
Old 09-15-04, 09:32 PM
Eclipse's Avatar
Eclipse Eclipse is offline
Coding Addict
  
Join Date: May 2004
Location: Long Island, New York
Posts: 356
Thanks: 0
Thanked 0 Times in 0 Posts
While i can't inform you about SQL injections I can help you prevent php injections which can be much more harmfull to security ie:
PHP Code:

if(isset($_GET["page"])){

$page $_GET["page"];

$full $page '.php';

include($full);

}else{

include(index.php);
That code can will make a url like yourdomain.com/index.php?page=yourpage then it will try to include yourpage.php if it doesn't exist you just get a 404 but using a php interjection you can modify the url to show your passwords from your server. By changing ?page=yourpage to ?page=.../etc/passwd it would normally look for .../etc/passwd.php and it would not find it causing a 404 but if you follow that with a php NULL charecter the signifies the end of the string {i will not write the NULL charecter for security reasons} it will display your password folder on what would normally be inaacessable via HTTP. You can fix this by using
PHP Code:

if(isset($_GET["page"])){

$page $_GET["page"];

switch($page){

case main:

include(main.php);

break;

case news:

include(newspage.php);

break;

default:

include(index.php);

break;
Hope that helped...
Reply With Quote